US Feeling the Safe Harbor Agreement Squeeze

In a role that is becoming increasingly common for Microsoft, the company has again spoken out about the state of privacy in the US. In a recent blog post, Brad Smith, Microsoft’s president and chief legal officer, responded to the Safe Harbor ruling by the CJEU. In it, he made some radical declarations. The recent ruling by the Court of Justice of the European Union (CJEU) voiding the Safe Harbor agreement has put over 4,000 companies that deal with trans-Atlantic business in a tough spot.

Safe Harbor Agreement Collapse is Dangerous to Companies’ Bottom Line

Because of the documents released by Edward Snowden, the highest court determined that, through no fault of their own, US companies could not comply with the privacy standards guaranteed by the EU.

Companies complying with the Safe Harbor Agreement for the past 15 years had to either self-certify or get a third party to certify that they were adhering to the standards and regulations set forth by the EU in the Data Protection Directive. The Safe Harbor Agreement guaranteed data protection that is “essentially equivalent” to that found in the EU. In light of the information garnered from the Snowden documents, the CJEU has come to realize that no data in the US is safe.

What this ruling does, then, is essentially make the transfer of data from the EU to America illegal. Although some companies have seen this coming for a while and have signed supplementary contracts with European customers regarding the protection of their data, it’s understood that under scrutiny these agreements wouldn’t hold up in court.

The problem is the permission given to US agencies in Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333, signed by President Reagan. Using these, the US government has clearly overstepped the protective boundaries set forth in the Safe Harbor agreement.

The ruling forces companies to either undergo an expensive overhaul or stop dealing with the European market altogether. Because of the Snowden documents, trans-Atlantic companies have already felt a hit to their bottom line. Several European companies offer direct competition without the risk of losing control of their customers’ data. Furthermore, extended exposure to the absence of the Safe Harbor Agreement, or an equivalent, will be an open wound to over 4,000 US companies, continually bleeding them dry.

A month ago, LiquidVPN brought you news about Microsoft’s fight with the Department of Justice, which is trying to get its hands on data stored in Ireland. US courts have already ruled once in the government’s favor to allow the forceful seizure of the data from the servers in Ireland. That ruling is currently being appealed by Microsoft. The case is monumental because it will not only provide precedent for US agencies to reach farther beyond their borders but may also do the same for agencies in other countries, like GCHQ in the UK.

Legal rules that were written at the dawn of the personal computer are no longer adequate for an era with ubiquitous mobile devices connected to the cloud. In both the United States and Europe, we need new laws adapted to a new technological world.

-Brad Smith

While Microsoft is actively combating the DOJ in court, Facebook is busy changing its policies to be more EU friendly. Ars Technica reported on October 19th that Facebook is now sending messages to users who it suspects are being watched by the government. This move is likely a direct response to the CJEU ruling.

For obvious reasons, Facebook is not saying exactly how it determines whether it strongly believes that a hacker is targeting your account. However, Alex Stamos, Facebook’s security chief, did say, “It’s important to understand that this warning is not related to any compromise of Facebook’s platform or systems and that having an account compromised in this manner may indicate that your computer or mobile device has been infected with malware.”

The message that Facebook users see if their account is strongly suspected of being targeted by a hacker working for a nation state.

The Next Steps to Restoring the Safe Harbor Agreement

Congress has already taken steps to repair the Safe Harbor Agreement. On October 13th, the House of Representatives passed the Judicial Redress Act. Although not a complete fix for restoring the Safe Harbor Agreement, this bill does at least address one major issue cited in the CJEU’s ruling.

If the Judicial Redress Act becomes law then foreigners will have the same rights as US citizens when it comes to checking the government on the use of their data. Like US citizens, EU citizens will have the right to go to court to challenge the government if they feel their data has been unlawfully shared or otherwise mishandled.

The bill is now in the hands of the Senate. The potential law will not put an end to the Safe Harbor dispute, but according to a press release by the Software & Information Industry Association, it is expected to at least “smooth the waters for a new agreement between the European Union and the United States on a Safe Harbor Framework for data flows.” The US and EU have until January to come to an agreement before the CJEU is able to begin enforcing the ruling.